I'd agree if it was Dave the newsagent, but this is Tesco here. What on earth would they have to gain from programming their systems to enable card cloning fraud?
(rather, they're set up so that the petrol pump machine/till device reads only the chip of chip-bearing cards, and only the magstripe of chipless cards, as you might expect)
In message , at
08:15:24 on Wed, 14 Nov 2007, John B remarked:Although the pump in Chelmsford that I mentioned earlier, and which didn't require any PIN, was a Tesco one.
I used a couple of C&P PoS terminals in Texas the other week. Both of them seemed to work OK with my (UK issued) C&P cards.
I recall being quite disappointed that the contagion had spread so far :-(
Yep, I found it :-)
Roland Perry wrote (in uk.railway):
No, I don't think I am, but nevertheless it seems to me to be an entirely valid hypothesis, even if it is unlikely to be true in most cases.
In fact, yes, I suppose I *am* making that hypothesis, so long as you don't infer that I believe it more likely to be true then false!
However, I can be confident that if I only stick one end of the card into a device then it *won't* be being skimmed.
They invariably do, and usually without a supervisor intervention. (B&Q, however, in a similar situation, refused.)
Fair point. I agree that ATMs present a problem. Pragmatically, I have to apply a level of trust around machines which are clearly operated by a bank (though preferably the bank that issues the card that I want to use). I can rationalise this by recalling that I am not doing anything more risky than in the pre-C&P days. Retailers are a different matter, though.
I shouldn't have to weigh up such subjective factors!
When the 'PIN and skim' petrol-station fraud was a hot topic, the industry defence was that the cardholder needn't have let the cashier have control of the card, and only needed to insert the chip-end of the card into the PIN pad.
A sophisticated fraudster working as a cashier in Tesco's could do it without Tesco's involvment. It doesn't sound any more implausible than sticking a false front on an ATM.
In any case, the fact that Tesco's is a Very Big Company cuts both ways. The risk of 'PIN and skim' may be small, but equally, why is the country's biggest(?) retailer not able to allow cardholders to exercise the vigilance that is advised (see above) without them having to make a fuss?
How can cardholder's be conditioned to exercise that vigilance in Dave the newagents if a retailer like Tesco won't play ball?
Yes I am not doubting that there is a chip reader at the base of the swipe-thru magstripe reader. This has been explained to me in B&Q as though it somehow makes a blind bit of difference. It's the fact that it has potentially been swiped as well that is problematic.
Neither do I doubt that a chip-based authentication is taking place.
I am, however, sceptical about your suggestion that they either read the magstripe or use the chip, but not both. The swipe action clearly occurs before any chip locates itself in the reader. Does the cashier have to swipe again if there is no chip? Or does the magstripe get read just in case there turns out to be no chip? I suspect the latter.
Now, Why *do* Tesco insist on swiping? Dave the newagent seems to have sorted himself out. Why can't Tesco? What do they need from that magstripe?
Anyone know?
That depends on the Gas Stations. Some do not require zip codes. Also long as your card has the Maestro, Visa (Not electron), or Mastercard logo it should work at the pump. U.K. is suppose to support zip code verification. Your card should still have the magnetic strip to work in the U.S.
Most likely the connection to network was down, so it falls back to signature when this happens.
Greg Rozelle
But the UK doesn't use zip codes, we have a six or seven character alphanumeric postcode, such as "SW1A 0AA" or "SE1 8XX".
See
Except that they were missing the point. The BP PIN pads did, and still do have deep slots that read the magstripe as the card goes in. The chip reader is right at the bottom. It didn't matter who put the card in because the pad was rigged. If you only inserted the chip end into the reader it would not reach the chip reader. Typical industry defense.
It has a magnetic stripe and worked everywhere else. Just not in pay-at-the-pump. And I did try putting in the two digits from my post code, I also tried all zeros and a valid US zip. None were accepted.
AFAIK post code verification is only used in card not present transactions. Along with the security code.
It just upset the cashier that I followed the instructions on the PIN pad.
But then there was an item on the news a couple of days back about a 47 year old woman being told she could not buy wine in Waitrose because she didn't have ID when the till asked the cashier to verify age.
The local co-op had a more with it cashier who laughed when his till asked him to verify age on a purchase of Alcohol Free Lager.
I see. I wasn't aware of that. It seems a pretty poor state of affairs.
In the case of Tesco, it appears that that the inability to dip the card into the pinpad is a design feature, and not a c*ck-up as sometimes suggested by staff.
Perhaps I should bite the bullet and ask my card company directly whether it's okay to allow retailers to swipe the card if they also require a PIN? If they say no, then BP would be obliged to take a signature. But maybe I am labouring under a false presumption as to what the advice would be.
It would be absurd if they said it was okay provided the retailer had more than a threshold turnover, or square footage.
BTW, wasn't it Shell rather than BP?
"Rob." wrote
The story was better than that. The woman was accompanied by her 22-year old daughter, who did have ID which would verfify her age. When her daughter asked if she could buy the wine, she was told she couldn't 'as she might pass it to this other customer.'
Peter
On the bright side, she's now got a guaranteed cosmetics advertising career, hasn't she.
Is her name Edina Maggott, or something like that?
a magnet (shops that still swipe could always type in your card no.) ?
with a magnet (shops that still swipe could always type in your card no.) ?
Seems like a reasonable idea, so long as you don't go abroad to a non-C&P country, as MX is that only in the UK will people key the number in.
I have suggested before that the banks could offer as an option two cards instead of one - one with strip only for non-UK use, and one with chip only for UK use. I would pay a reasonable fee for such a service, as it would make my card very secure indeed against being skimmed.
Neil
Yes I stand corrected. There was a local BP station that was the centre of some scam - but they dod not have the "total immersion" PIN pads.
Or you could achieve the same effect for free by taking out two credit cards, destroying the chip in one and the magstripe on the other...
with a magnet (shops that still swipe could always type in your card no.) ?
Repeated for Neil. Don't know if this will work. If you try converting your zip code to numbers.
Rob, Don't know if this will work. If you try converting your zip code to number.
Tesco in Reading have this week activated the Chip readers on the PIN pad, and staff are now instucting customers to use this rather than hand the card over. There is new display material around the PIN reader to highlight this change to customers.
Duncan
BeanSmart website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.